In our previous topic, we talked about a collection of Spanning Tree Protocol features that could help to reduce the Convergence Time with a Spanning Tree Protocol, what here in this topic, we wanna talk about another collection of Spanning Tree features, this time though these features are design to helping increase the stability of the Spanning Tree, and by increasing the stability we talking about things that might help prevent a layer 2 Loop is in example, we got 4 features we wanna talk about in this topic. The first one is BPDUGuard
And this is gonna work typically handed hand with Portfast that we talked about in the previous session, we gonna see this can add some extra Loop Prevention Protection on a port that configured for Portfast, if we accidently plug in a Switch to that Port, that might potentially cause a loop. Then we gonna take a look at BPDUFilter
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
And this is an interesting one because normally we think BPDU’s are good think they can help prevent loops but there is a time, we might want to filter out and not send those BPDU, we will see how to do that. Next, we take a look at Root Guard
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
Let’s imagine that, we got a Spanning Tree Topology and you know that this(SwA) is gonna be a primary Root Bridge and this(SwB) is gonna be secondary Root Bridge, and you don’t want any other Bridges ever becoming the Root, you don’t want somebody accidently or intentionally introducing the Switch on the network with a Superior BPDU and try to take over the Role of the Root, well what we can do is say “if there is a switch of a specific ports claiming to be the Root, we not going to believe that switch”, and feature that often gonna be configured along with Root Guard, is a LoopGuard
LoopGuard is another Loop prevention mechanism as you might be able to guess by name but it can help us out to situation for example where, “we have a Unidirectional Link, that stop receiving BPDU’s from a Designated port on a segment, that must mean it’s OK for us to go active, not necessary maybe we have a Unidirectional link failure”, Loop Guard can help us to protect from that. Let’s get ride into a discussion of first of these features BPDU Guard. BPDU Guard can work handed hand with Portfast, remember with Portfast, we can tell an Access Port that, it should not go through the Listening and Learning state, if the device connected to that Port, we were essentially saying “Mr. Port, i promise, i am only going connect End Station”, “i am not going to connect Switch or anything else that might cause a loop”, so please don’t make, a connect device wait through 15 seconds of Listening and 15 Seconds Learning, let’s go active almost immediately, an addition to doing that, Portfast has a Loop prevention mechanism built in, if we have a port enabled for Portfast, and its sees BPDU coming on that port, it realizes that it’s been lying too, it looks like somebody attached a switch to this port and when Portfast starts to see these BPDU’s, it can start Blocking however, it doesn’t www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
happen instantly, there can be a brief time where we do have a loop, and BPDU Guard can help prevent that, temporarily loop that we could have during that time that a Portfast, port transitions into Blocking. And we can enable this globally or we can do a port by port bases, if we enable it Globally, it’s only going to apply to ports that have Portfast enable and we said that, what is gonna do is immediately start Blocking Traffic, we going to specifically go into a “Err-Disabled State” on that port if we receive a BPDU because that Port has been configured for Portfast.
We promised, we are not going to attach anything that should be sending a BPDU, if we see that very first BPDU, BPDU Guard is gonna shut that Port down, and go into a Err-Disabled State. By the way how do you recover from an Err-Disabled State, after you correct the issue that was causing a problem, and the first place a way to come out the Err-Disabled State is, to simply some people call it, Bouncing the Port, what i mean by that is, we go into interface Configuration mode and we do a “Shutdown” followed by “No Shutdown”, we administratively take it down, bring it backup, and of the condition causing the error is no longer there, that’s gonna clear out the Err-disabled State, if you take a look at the topology on picture
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
We got port fastetherent 1/0/1, that has Portfast enabled, and if we connect end station.
To that port great, that’s really, we intended for, we might have a Laptop with an SSD, instead of regular spinding Hard Disk Drive, it might boot up very very quickly and it might send out a DHCP Broadcast and if Portfast were not enabled, it might not able to obtain an IP Address because that port is not yet active, if it’s sending out that DHCP www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
Broadcast, however, if we accidently or somebody intentionally plugs in a Switch to this port that Switch Sw5 in this case, is gonna be sending BPDU.
And which that first BPDU is seen on that port because we now have BPDU Guard enabled that port is immediately go into an Err-Disabled State.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
Now we understand the theory of BPDU Guard, what it trying to accomplish let’s take a look at configuration of BPDU Guard.
That’s how to enable this on interface bases but we can enable it globally, we could say in global configuration mode.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
And Verification command, we can issue is
Our Next Spanning Tree stability feature is BPDUFilter, and normally we like BPDU, we want BPDU’s to be exchanged between our Switches because the BPDU’s help us to make a Loop-free Spanning Tree topology, what BPDUFilter can do is, prevent a port from sending BPDU’s and we can enable this on a Port by Port bases or we can enable it globally and if we enable it globally, it’s going to apply to ports that have Portfast enabled
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
But the big question is when should we use this, Cisco cautions us, we should only use BPDUFilter when necessary, well when would something like this be necessary, i have sketched on picture here.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
A couple of different Autonomous System, remember what an Autonomous System is, Autonomous System is simply a network under a single administrative control, these 2 Autonomous System A and B, they could be your company and your Service Provider if you have a Layer 2 Ethernet connection with your Service Provider or maybe its within your Company you got 2 different Department that have their own IT Staff, they manage their own Switches that configure the own STP parameters but they still need to interconnect. Well maybe you don’t want to be exchanging Spanning Tree information between these 2 different Autonomous System, even with in the same company, BPDUFilter can be used to do that, BPDUFilter can be used to prevent one Autonomous System from sending BPDU’s into another Autonomous System, and i mentioned that we could enable this at the Port level or Globally, the behavior is actually bit different and its most dangerous, were in most danger of creating a loop if we enabled this at the Port level.
We will talk about the distinguish when we get into the configuration in a movement, but let’s visualize what this might do for us, if we setup the BPDUFilter may be on Switch C in an Autonomous System A.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
That port on SW C, it’s not going to be able to send out a BPDU, it’s not gonna get down to Autonomous System B, because BPDUFilter is going to filter that out, but think about this, what if Switch D in Autonomous System B were sending a BPDU into a Switch C, with that BPDUFilter that we configured for Switch C, would it ignore that BPDU coming from Switch D. Well the answer of that depends on how we configure it, do we configure it at Port level or do we configure it globally, let’s take a look at configuration and talk about the different behaviors that we get from Port by Port Configuration vs Global Configuration. First here, how we set it up at the Port Level
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
Here what that does, when we set this up the Port level, it’s very plain and simple, we telling that port do not send any BPDU’s and if you receive any BPDU’s ignore them, and that could be a bit dangerous because we ignoring any incoming BPDU’s, we receiving BPDU indicating that we were connecting to a Switch and we just ignoring those, we might get into Loop Situation, it’s safer if we enable this globally, here how we do that we say.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
And here what happened if we enable it globally, The Switch is bit more curious, the Switch says “ if i receives BPDU’s on one of these Portfast ports that have been globally enabled for BPDUFilter, if one of those ports receives the BPDU that Ports is gonna lose its Portfast status, so in this case, we not ignoring incoming BPDU’s instead incoming BPDU’s their viewed as warning, look at, we got a Switch attached to the this port maybe we shouldn’t be on Portfast mode anymore, and we gonna transition out of Portfast mode. Infect, when that port first comes up it’s going to try to seek out and see, we have any attach devices that would be sending us BPDU’s and its gonna send “10 BPDU’s of its own”, and if it receives any BPDU’s in returned then it’s going to say “No! we should not be a Portfast Port, and we gonna transition out of the Portfast Mode”, to see if we have a BPDUFilter enabled or not, we can give the command.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
We can see how many BPDU we sent/received, after we enable the BPDUFilter, the number of BPDU has been sent that should not be incrementing anymore because we are not gonna be sending any additional BPDU’s.
############################################################################## ## Take a Break of Tea/Coffee, then we will go to next feature ## ##############################################################################
Our next feature is Root Guard, with Root Guard we want to prevent somebody from intentionally or accidentally adding a Switch to network that might send us a superior BPDU and claim to be the Root, for example, i got couple of Switches on Picture.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
That i don’t mine, if they become the Root, Sw1 that’s gonna be my Primary Root Bridge and Sw2 is gonna be my secondary Root Bridge, however, i would not want Sw3 to become the Root, and we have enable the Root Guard on the bottom ports of Sw1 and Sw3 to say “if i receive the superior BPDU coming into this port, we are not gonna believe”, we gonna go into a Root-inconsistent State, here how we set it up, we gonna configure Ports, that should not connect us to the Root Bridge, and if we do receive us a superior BPDU coming in one of those ports, this ports is gonna start Blocking traffic, Specifically its gonna go into a Root-Inconsistent State.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
So, let’s imagine that “Sw3 does send a superior BPDU up to Switch Sw1”, when it (Sw1) gets that superior BPDU, it says “i am enable for RootGuard this is a superior BPDU and i am not gonna trust that”, instead i am going to transition this port to a Root-inconsistent State.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
Until those superior BPDU stop, and as soon as they stop we transition out of the Root Inconsistent State, we don’t have to administratively do anything to recovered from that like we did with the Err-Disabled State, now let’s see how to set this up, Root Guard is only going to be configured at the Port level, you would not want to be Globally enable it, but we going to strategically go into those ports, of a which we would not expect to see the Root Bridge, here we gonna go into interface
We would do that all of the ports, of which we would not expect to see the Root Bridge, if we did have a port, that was in the Root-Inconsistent State, here how we can be determined that we could say
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
This example, its look like interface fastetherent 1/0/2 is in the Root-Inconsistent State.
And our Final feature that, we wanna to talk about in this topic is Loop Guard, this is something that we want to configure in conjunction with Root Guard, what’s its gonna do is, cause a Non-Designated Port to enter a Loop-Inconsistent State which is Blocking State, if it’s stop receiving the BPDU.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
Here why we do that, normally on a network segment a Designated Port is gonna be sending out BPDU’s and the Non-Designated port receives the BPDU’s, now this NonDesignated Port stops receiving the BPDU’s, it’s assume that the topology is Loop free and it’s start to transition to the forwarding State if it were Blocking. However, maybe its stopped receiving BPDU’s not because, we have a Loop-free topology, may be have in one example, “a Unidirectional link, and if we have Unidirectional Link may be, we were not receiving BPDU’s but we can still send them”, we could create a one way Loop around this topology however, with LoopGuard enabled when the Non-designated Ports stops receiving BPDU’s it transition into a Loop- Inconsistent state where it blocks traffic, and its gonna remain that state until, it receives the BPDU and then it automatically transitions to the appropriate state maybe Blocking or maybe Forwarding, based on that BPDU and we can enable this on a Port by Port bases, we would probably do that on all ports that did not have a Root Guard enabled if we were using Root Guard or we can turned this on Globally and if we turned it globally, it’s going to apply to all Point-to-Point links.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
Let’s visualize how this might help us out. On picture notice, we have a link between Sw2 and Sw3 and the port on Sw3 is currently Blocking but we know that every network segment has a Designated Port and that Designated port, in this case is Switch Sw2 fastethernet 1/0/2 interface and let’s say that, we have a Unidirectional Link Failure, we have something like we talked about earlier called a Backhoe fade, here comes big Backhoe Fade into the network and it damaged the Fiber Optic Cable.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
i am no longer able to receive traffic from Sw2 but we can send traffic and that can cause a Loop if we did not have a Loop Guard enabled, but we do Switch Sw3 says “i am no longer receiving BPDU’s on this link, so i am going to enter Loop-Inconsistent State”.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
Let’s see how to set this up, first we can go into Interface Configuration Mode
That will enable it Port by Port, and to enable it Globally we would say
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
And to see its enabled or not, we can give Verification Command
And you can see the second line of output of bottom it says LoopGuard default, it is enabled that only can force Spanning Tree Protocol feature that can help us increase the stability of our Spanning tree topology, we talked about BPDUGuard, BPDUFilter, RootGuard and the LoopGuard.
That’s the last session of this Spanning Tree Module, now in our upcoming module we will discuss about VLAN’s
If You Like the Post. Don’t forget to “Subscribe/Share/Comment”. Thank You.
www.ccnaccnplinux.com®
All rights reserved. ©Best Cisco CCNA CCNP and Linux PDF Notes www.cisconotes.com®
